Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

The same was proved by hackers on Friday, when more than 2,000 computer systems at San Francisco’s public transit agency were apparently compromised.

San Francisco’s Municipal Transportation Agency, also known as MUNI, offered free rides on November 26th after MUNI station payment systems and schedule monitors were hit by ransomware and station screens across the city started displaying a message that reads:

According to the San Francisco Examiner, MUNI confirmed a ransomware attack against the station fare systems, which caused it to shut down ticket kiosks and make rides free for the weekend.

As you can see, the message delivered by the malware is followed by an email address and an ID number, which can then be used to arrange ransom payments.

MUNI spokesman Paul Rose said his agency was investigating the matter and “working to resolve the situation,” but did not provide details as to how MUNI got hacked.

“We are currently working to resolve the situation,” said Rose. “There is an ongoing investigation, and it wouldn’t be appropriate to provide additional details.”

Trains themselves were not affected by the malware attack, and MUNI claimed that payments resumed on the morning of November 27th. MUNI looks after trains, trams and buses around the city, including San Francisco’s iconic cable cars.

It is not yet clear exactly who was responsible for the attack (beyond the pseudonym “Andy Saolis”), but according to local media reports, the agency’s computers were being held by ransomware until MUNI paid the equivalent of more than $73,000 in Bitcoin.

Andy Saolis is a pseudonym commonly used in HDDCryptor ransom attacks. HDDCryptor uses commercial tools to encrypt hard drives and network shares on Windows machines with randomly generated keys, and then overwrites the hard disks’ MBRs so the systems can no longer boot properly.

The target machine is typically infected when a user accidentally opens a malicious executable delivered by email or download, after which the malware spreads across the network.
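As an added illustration (not code from the original post or from any of the reports it cites), here is a defender-side integrity check for the MBR that this family of ransomware overwrites: it parses the first sector of a disk and compares it against a known-good copy. The sample MBRs below are constructed; in practice the baseline would be captured from a clean system and the current sector read from the disk or a forensic image.

```python
# Added example: compare a disk's MBR (first 512 bytes) against a known-good
# baseline to spot the boot-code overwrite described above. Sample MBRs are
# constructed for illustration only.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 on a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}

def mbr_findings(baseline: bytes, current: bytes) -> list:
    """Return the ways `current` deviates from the known-good `baseline` (empty if none)."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

# Constructed known-good MBR: stub boot code plus one bootable NTFS (0x07) partition.
_entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
CLEAN_MBR = (b"\xfa\x33\xc0\x8e\xd0".ljust(BOOT_CODE_SIZE, b"\x00")
             + _entry + b"\x00" * 48 + BOOT_SIGNATURE)
# Constructed tampered MBR: boot code wiped, partition table and signature left intact,
# so the partition layout looks normal but the machine will not boot.
TAMPERED_MBR = b"\x00" * BOOT_CODE_SIZE + CLEAN_MBR[BOOT_CODE_SIZE:]

if __name__ == "__main__":
    print("clean   :", mbr_findings(CLEAN_MBR, CLEAN_MBR))
    print("tampered:", mbr_findings(CLEAN_MBR, TAMPERED_MBR))
```

On Linux the current sector can be obtained with `dd if=/dev/sda bs=512 count=1` (read-only, requires root) and fed to `mbr_findings` alongside the stored baseline.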

The email address used by the anonymous criminal, cryptom27@yandex.com, points the city to a Russian email provider for arranging payment, and it has been linked to other cyber attacks as well.

The Hacker Linked to a Previous Ransomware Strain

When contacted at the provided email address, the hacker gave a statement in broken English, which read:

“We don’t attention to interview and propagate news! Our software working completely automatically and we don’t have targeted attack to anywhere! SFMTA network was Very Open and 2000 Server/PC infected by software! So we are waiting for contact any responsible person in SFMTA but I think they don’t want deal ! so we close this email tomorrow!”

The same email address, cryptom27@yandex.com, was linked to a ransomware strain called Mamba in September. The ransomware employs tactics similar to those demonstrated against the MUNI systems.

The hacker provided Hoodline with a list of systems the hacker claimed to have infected in MUNI’s network, which amounted to 2,112 of the total 8,656 computer networks. The hacker also said that MUNI had “one more day” to make a deal.

Not much about the hack is known; the extent of the hack and the hacker’s identity remain a mystery for now, but the incident once again reminds us how vulnerable our critical infrastructure remains.